AI Threat Alert
CVE-2026-21858
CRITICALCVE-2026-21858 is a CVSS 10.0 unauthenticated path traversal in n8n (versions 1.65.0–1.120.x) that lets any internet attacker read—and likely write—arbitrary files on your server through public form-based workflow endpoints. If you run n8n to orchestrate AI agents, your LLM API keys (OpenAI, Anthropic, etc.), agent configurations, and every secret on that host are fully exposed. Patch to 1.121.0 immediately; if you cannot, take n8n offline and rotate every credential the host could access.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Do you use n8n? You're affected.
Severity & Risk
Recommended Action
- 1. PATCH NOW: Upgrade to n8n 1.121.0—only complete fix. No workaround fully mitigates without losing form workflow functionality. 2. ISOLATE: If patching is blocked, immediately restrict network access to n8n (firewall/WAF) or disable form-triggered workflows at the application level. 3. ASSUME BREACH—ROTATE ALL CREDENTIALS: Treat every secret on the n8n host as compromised—rotate LLM API keys (OpenAI, Anthropic, etc.), database passwords, webhook tokens, cloud IAM credentials, and n8n encryption keys. 4. HUNT FOR EXPLOITATION: Search access logs for form endpoint requests containing path traversal patterns ('../', '%2e%2e', '..%2f') or returning anomalously large response bodies. Correlate with unusual outbound connections from the n8n host. 5. SCAN EXPOSURE: Use asset inventory or Shodan to enumerate internet-facing n8n instances across your estate—shadow IT deployments are a likely blind spot. 6. POST-PATCH HARDENING: Enable authentication on all n8n form triggers, run n8n as a least-privilege user, and ensure secrets are injected at runtime (vault) rather than stored in files accessible by the process.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
Exploitation Scenario
An attacker scans for internet-facing n8n instances using Shodan (trivial—n8n exposes identifiable HTTP headers). They identify a public form-based workflow endpoint requiring zero authentication. By submitting a crafted form payload embedding path traversal sequences (e.g., '../../../../opt/n8n/.env' or '../../../../proc/1/environ'), the server returns the n8n environment file containing OPENAI_API_KEY, ANTHROPIC_API_KEY, N8N_ENCRYPTION_KEY, and database connection URLs. With stolen LLM API keys, the attacker hijacks inference capacity for their own operations (cost fraud, data exfiltration via LLM). With database credentials, they pivot to the vector/RAG database and exfiltrate the organization's proprietary knowledge base. The write primitive implied by I:H further allows injection of malicious nodes into workflow definitions—creating a persistent backdoor that executes on every automation run, completely transparent to operators.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N